CVE-2026-7249
Location Weather Plugin WordPress Authenticated Data Modification Vulnerability
Publication date: 2026-05-22
Last updated on: 2026-05-22
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| shapedplugin | location_weather | to 3.0.2 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The Location Weather plugin for WordPress has a vulnerability due to missing capability checks in two functions: splw_update_block_options() and lwp_clean_weather_transients().
This flaw allows authenticated users with Contributor-level access or higher to modify data without proper authorization.
Specifically, these users can disable all weather blocks on the site and purge all cached weather data (weather cache transients).
The nonce (a security token meant to prevent unauthorized actions) required for these operations is exposed to all authenticated users via wp_localize_script() on the init hook, making exploitation easier.
How can this vulnerability impact me? :
This vulnerability can impact you by allowing users with Contributor-level access or above to disable all weather blocks on your WordPress site.
Additionally, they can purge all cached weather data, which may degrade the user experience by removing weather information and causing delays as data is re-fetched.
While it does not allow data theft or site takeover, it can disrupt the functionality of the weather features on your site.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, immediately update the Location Weather plugin to a version later than 3.0.2 where the missing capability checks have been fixed.
If an update is not immediately available, restrict Contributor-level and above users from accessing or modifying weather blocks and cache transients until a patch is applied.
Monitor authenticated user actions related to weather blocks and cache purging to detect any unauthorized modifications.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.